NetWork | ZeroBOX

IP Address	Status	Action
104.21.44.192	Active	Moloch
154.39.174.239	Active	Moloch
162.0.231.6	Active	Moloch
164.124.101.2	Active	Moloch
172.67.153.64	Active	Moloch
195.161.62.100	Active	Moloch
198.49.23.145	Active	Moloch
20.255.200.185	Active	Moloch
45.33.6.223	Active	Moloch
91.195.240.123	Active	Moloch
84.54.50.66	Active	Moloch

Name	Response	Post-Analysis Lookup
www.poshkits.info	A 162.0.231.6	162.0.231.6
www.pymhn.top
www.fb99vn.com	A 104.21.12.203 A 172.67.153.64	172.67.153.64
www.drstephaniebest.com	A 198.49.23.145 CNAME ext-cust.squarespace.com A 198.185.159.144 A 198.49.23.144 A 198.185.159.145	198.185.159.145
www.gnhxxiazai03.com	A 20.255.200.185	20.255.200.185
www.nicejunq.com	A 91.195.240.123	91.195.240.123
www.ketocanadmqy.cloud	A 195.161.62.100	195.161.62.100
www.r1146.xyz	A 172.67.203.63 A 104.21.44.192	104.21.44.192
www.fstrainingllc.com	A 154.39.174.239	154.39.174.239
www.leshka-toshka.online
www.sqlite.org	A 45.33.6.223	45.33.6.223

TCP Requests

UDP Requests

POST 404 http://www.ketocanadmqy.cloud/ogeb/

GET 404 http://www.ketocanadmqy.cloud/ogeb/?zS=JCW7LwLHnn7ptjGjE5oXohZmdFlQQ26ARwAmaoNxO6ijvQN7ubUT60jiWusc3p3YeBdlnORuW+NtBTBOf6MBl7CRUR/NRW0MRl+FZL4=&lQHIIB=UDOd2iazjyW

GET 200 http://www.sqlite.org/2017/sqlite-dll-win32-x86-3190000.zip

POST 404 http://www.gnhxxiazai03.com/ogeb/

GET 404 http://www.gnhxxiazai03.com/ogeb/?zS=wBih4ktWfPNsySsqn3uI1HmQOkxE78XnlLTDvxJFz8Ksfyo9cnxjh72KIWiVUUXAXHwdyJ5YpLQGYf4Z+A02Vjn9hAcAu81BvwPbwlI=&lQHIIB=UDOd2iazjyW

POST 404 http://www.r1146.xyz/ogeb/

GET 404 http://www.r1146.xyz/ogeb/?zS=hQC9FzST15eBXJ4J4T0DlrZN3V4nndOGJI8rCOq0KQaVihaPabvY2aUaE4N/PK/Cku54qUwIUhcWHwQfhhinhH5BJGjDnxoo3iDp4OU=&lQHIIB=UDOd2iazjyW

POST 301 http://www.drstephaniebest.com/ogeb/

GET 400 http://www.drstephaniebest.com/ogeb/?zS=+v0OuBHGG6cw5ZwrQCjmtsYbU4xaGL5HoMfXaXw9oSi2F/e6KL+7wkfrHW9mkq7nBIGbSiwCyL8lMMQd9mW+kFWaqBx5WK5Isw5ml80=&lQHIIB=UDOd2iazjyW

POST 0 http://www.nicejunq.com/ogeb/

POST 403 http://www.nicejunq.com/ogeb/

GET 200 http://www.nicejunq.com/ogeb/?zS=61GncP3LZGSS1NuGOhw0w9YAjVqrgaXoImnMpoqiHfpClz+VkHF1OaSSbCiQjyR+WlMAeIDV0LjpJ/XsdXKhboCqPvNVkna3o/MBoBk=&lQHIIB=UDOd2iazjyW

POST 404 http://www.fb99vn.com/ogeb/

GET 404 http://www.fb99vn.com/ogeb/?zS=OXN+k+OlhXjl96bKh2NTgPCFs15ire34/TTevHac9SK8WXddN+80UbpDpODSd5z2qlIY7v82+nyluTO39li1mIxMKX8Jb/R8tbta/VI=&lQHIIB=UDOd2iazjyW

POST 404 http://www.poshkits.info/ogeb/

GET 404 http://www.poshkits.info/ogeb/?zS=AqRXXMRheGbbuzNJ7gUd3ELHirevyxJNjMj6aH1i+QGnsBV8j36ZsXkdOVofclXLXJuwnJ0etyY1DKNGveWcGaTGb3YRrubSnMygGeg=&lQHIIB=UDOd2iazjyW

POST 0 http://www.fstrainingllc.com/ogeb/

POST 200 http://www.fstrainingllc.com/ogeb/

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49186 -> 154.39.174.239:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 20.255.200.185:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49177 -> 91.195.240.123:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 198.49.23.145:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49180 -> 172.67.153.64:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49183 -> 162.0.231.6:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 198.49.23.145:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 198.49.23.145:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49176 -> 198.49.23.145:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 91.195.240.123:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 91.195.240.123:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 91.195.240.123:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 20.255.200.185:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 20.255.200.185:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 20.255.200.185:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 172.67.153.64:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 172.67.153.64:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49182 -> 172.67.153.64:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 104.21.44.192:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 104.21.44.192:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 104.21.44.192:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 104.21.44.192:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 104.21.44.192:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49166 -> 195.161.62.100:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 195.161.62.100:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 195.161.62.100:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 162.0.231.6:80	2031412	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 162.0.231.6:80	2031449	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49185 -> 162.0.231.6:80	2031453	ET MALWARE FormBook CnC Checkin (GET)	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts